Steve Jones is the editor of SQLServerCentral.com and visits a wide variety of data related topics in his daily editorial. Steve has spent years working as a DBA and general purpose Windows administrator, primarily working with SQL Server since it was ported from Sybase in 1990. You can follow Steve on Twitter at twitter.com/way0utwest

“The hashing alone being MD5 tells me that they really don’t care about their passwords too much, so it’s probably some pre-generated site.”

That was from this article on an Anatomy of a Hack. It’s an interesting quote, and it shows a few things.

First, we have a history problem with our frameworks: they are not updated as we learn more about a technology, or as circumstances change. Sometimes the framework itself is never updated. Sometimes developers do not update the frameworks they use. Sometimes they simply download the wrong version.

The bottom line is that older technologies with known weaknesses are still being used. If you store passwords, hash them (this is hashing, not encryption; you should never need the plaintext back), don't use MD5, and I'd say that SHA1 is a bad idea as well. On versions of SQL Server prior to 2012, HASHBYTES does not offer SHA2, but with the SQL CLR and the SHA2 classes in .NET you can write your own function. Whichever algorithm you pick, give each password a random per-user salt; an unsalted digest, even a SHA2 one, is a single lookup table away from being cracked, and a fast hash on its own is still cheap to brute force compared to a deliberately slow, iterated construction such as PBKDF2.
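As an added example, not code from Steve's editorial, here is the weak pattern beside a salted SHA2 version in T-SQL. The temp table, user names and password are constructed sample data, and HASHBYTES('SHA2_256', ...) assumes SQL Server 2012 or later, which is exactly the piece that is missing on older versions and that a SQL CLR function would have to supply.

```sql
-- Added example (not from the editorial): the weak pattern next to a better one,
-- using HASHBYTES. The SHA2_256 algorithm name needs SQL Server 2012 or later;
-- on 2005/2008 HASHBYTES stops at SHA1, which is where the SQL CLR route comes in.
-- The table, user names and password below are constructed sample data.
CREATE TABLE #Users (
    user_name NVARCHAR(64)  NOT NULL PRIMARY KEY,
    salt      VARBINARY(16) NOT NULL,   -- random, per user, stored in the clear
    pwd_hash  VARBINARY(32) NOT NULL    -- SHA2_256(salt + password)
);

-- The weak pattern: unsalted MD5. Two users with the same password get the same
-- 16-byte digest, so one precomputed table cracks both, and MD5 is fast enough
-- that a GPU tries billions of candidates per second.
SELECT HASHBYTES('MD5', N'correct horse battery staple') AS md5_alice,
       HASHBYTES('MD5', N'correct horse battery staple') AS md5_bob;  -- identical

-- The better pattern: a fresh 16-byte salt per user from CRYPT_GEN_RANDOM
-- (available since SQL Server 2008), hashed together with the password bytes.
DECLARE @salt_alice VARBINARY(16) = CRYPT_GEN_RANDOM(16);
DECLARE @salt_bob   VARBINARY(16) = CRYPT_GEN_RANDOM(16);

INSERT INTO #Users (user_name, salt, pwd_hash) VALUES
    (N'alice', @salt_alice,
     HASHBYTES('SHA2_256', @salt_alice + CAST(N'correct horse battery staple' AS VARBINARY(256)))),
    (N'bob',   @salt_bob,
     HASHBYTES('SHA2_256', @salt_bob   + CAST(N'correct horse battery staple' AS VARBINARY(256))));

-- Same password, different stored hashes: the salt defeats shared lookup tables.
SELECT user_name, salt, pwd_hash FROM #Users;

-- Verifying a login attempt: recompute with the stored salt and compare.
DECLARE @attempt NVARCHAR(128) = N'correct horse battery staple';
SELECT user_name,
       CASE WHEN pwd_hash = HASHBYTES('SHA2_256', salt + CAST(@attempt AS VARBINARY(256)))
            THEN 'match' ELSE 'no match' END AS result
FROM #Users;

DROP TABLE #Users;
```

The salt fixes the "identical password, identical hash" problem, but a single SHA2 pass is still a fast hash. If you do go the SQL CLR route on an older version, the .NET class worth wrapping is Rfc2898DeriveBytes (PBKDF2 with a configurable iteration count) rather than SHA256Managed alone, so that each guess costs the attacker thousands of hash operations instead of one.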